CryptoLocker Technical Details

CryptoLocker is the latest ransomware Trojan that targets computers running Microsoft Windows. CryptoLocker is typically received as an email attachment containing a malicious executable. Once launched, it contacts a command & control server which generates a unique RSA-2048 public/private key pair. The private key is retained on the remote server; the public key is sent to the victim machine. CryptoLocker then recursively finds all document files and encrypts them.

Assuming you pay the ransom to get the private key, you then have to use that key via an .exe provided by the very people who just held your files for ransom.

CryptoLocker Encrypted File Format

Kyrus has reverse engineered the CryptoLocker application to determine how the CryptoLocker file format works and build an open-source decryption engine. The decryption engine only works if you have the private key. Given the encryption algorithms in use by CryptoLocker, there is no known way to recover the private key without paying the ransom.

Each file encrypted by CryptoLocker is encrypted with a unique AES-256 key. The unique symmetric key is then encrypted with the public RSA-2048 key unique to the infected host. Therefore, the only way to decrypt files encrypted with CryptoLocker is to obtain the private RSA-2048 key.

The file format for an encrypted file is as follows:

Offset  Length  Description
0x00    0x14    SHA1 hash of '\x00'*4 followed by the next 0x100 bytes (the "file header")

CryptoLocker Decrypter & Identification

Given the above file format, Kyrus has developed a CryptoLocker identification and decryption tool in Python. The tool can identify CryptoLocker files on a local disk and optionally decrypt them given the private key material.
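As an added example (not Kyrus's tool or code from this page), the identification check implied by the table row at offset 0x00: recompute SHA1 over four zero bytes plus the 0x100-byte header and compare it with the 20-byte digest stored at the start of the file. It assumes the header begins immediately after the digest (offset 0x14); the sample blob is constructed, not a real CryptoLocker file.

```python
import hashlib
import os
from typing import Iterator

HASH_LEN = 0x14          # SHA1 digest length, table row at offset 0x00
HEADER_LEN = 0x100       # "file header" bytes covered by the hash
SALT = b"\x00" * 4       # four zero bytes prepended before hashing


def expected_marker(header: bytes) -> bytes:
    """SHA1('\\x00'*4 || header): the 20-byte value stored at offset 0."""
    return hashlib.sha1(SALT + header).digest()


def is_cryptolocker_encrypted(data: bytes) -> bool:
    """True when bytes 0..0x13 equal SHA1 of the following 0x100 bytes.

    Assumption: the header starts right after the digest (offset 0x14).
    Inputs too short to hold digest plus header are rejected.
    """
    if len(data) < HASH_LEN + HEADER_LEN:
        return False
    stored = data[:HASH_LEN]
    header = data[HASH_LEN:HASH_LEN + HEADER_LEN]
    return stored == expected_marker(header)


def scan_tree(root: str) -> Iterator[str]:
    """Yield paths under root whose leading bytes pass the marker check."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    prefix = fh.read(HASH_LEN + HEADER_LEN)  # only what the check needs
            except OSError:
                continue
            if is_cryptolocker_encrypted(prefix):
                yield path


def build_constructed_sample(header: bytes = b"\x41" * HEADER_LEN,
                             body: bytes = b"constructed ciphertext") -> bytes:
    """Constructed blob with a valid marker, for testing the check only."""
    return expected_marker(header) + header + body


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(is_cryptolocker_encrypted(sample))                       # True
    print(is_cryptolocker_encrypted(b"hello world " * 30))         # False
```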